dissatisfied Posted May 5, 2011
Just a warning to anyone using or thinking about using Prestashop: without warning or permission, the software sends the email address you set in "Shop email" to Prestashop.com, and they will use it to spam you. Disgusting.
From a cursory search, it seems the offending code can be found in admin/ajax.php, line 613. Commenting out that line causes some of the Prestashop.com-related sidebars not to load in the admin dashboard, but doesn't seem to do any harm to anything.
Avoid this shopping cart until they fix this and promise to delete every single email they've harvested in this manner.
devilsown Posted May 5, 2011
But the file is only 602 lines long?
core- Posted May 5, 2011
If I've got such complex software for free and also have permission to remove their TM from the pages and even to claim the shop software is powered by me, I think it's a bit below good taste to complain about a couple of advertising e-mails, sent by PS and about PS. That's my 2c.
dissatisfied (Author) Posted May 5, 2011
> But the file is only 602 lines long?
Perhaps you are not using the latest version. Here, search for PS_SHOP_EMAIL, it's right at the end of the file: http://svn.prestashop.com/trunk/admin-dev/ajax.php
> If I've got such complex software for free and also have permission to remove their TM from the pages and even to claim the shop software is powered by me, I think it's a bit below good taste to complain about a couple of advertising e-mails, sent by PS and about PS.
Not at all. They are pulling private data from our shopping cart back ends without any kind of notice or permission; that is rude at the very least, and a security breach at the worst.
Moreover, the spam they're sending does not have an "unsubscribe" link or any other instructions on how to remove yourself from their email list. Totally disgusting behavior that is the domain of V1agr4 spammers, not legitimate organizations.
jhnstcks Posted May 5, 2011
Where in the code
$content = @file_get_contents('https://www.prestashop.com/partner/preactivation/preactivation-block.php?version=1.0&shop='.urlencode(Configuration::get('PS_SHOP_NAME')).'&protocol='.$protocol.'&url='.urlencode($_SERVER['HTTP_HOST']).'&iso_country='.$isoCountry.'&iso_lang='.Tools::strtolower($isoUser).'&id_lang='.(int)$cookie->id_lang.'&email='.urlencode(Configuration::get('PS_SHOP_EMAIL')).'&date_creation='._PS_CREATION_DATE_.'&v='._PS_VERSION_.'&security='.md5(Configuration::get('PS_SHOP_EMAIL')._COOKIE_IV_), false, $context);
does it pass anything onto the guys at Prestashop?
The emails you are receiving from Prestashop (the weekly updates) are sent to the email addresses that you entered on the download page.
dissatisfied (Author) Posted May 5, 2011
> Where in the code does it pass anything onto the guys at Prestashop? The emails you are receiving from Prestashop (the weekly updates) are sent to the email addresses that you entered on the download page.
Uh, the &email='.urlencode(Configuration::get('PS_SHOP_EMAIL')) part?
I never downloaded Prestashop from your download page (nor would I have put my actual email address in there if I had). My mailbox is a catchall for my domain, so I use unique email addresses for different purposes (for example, I would register at Amazon.com using the address [email protected]). When I set up my Prestashop install, I used a unique email address in the "Shop e-mail" field - and that is the email address that is now getting spam.
I did a search through the Prestashop code for PS_SHOP_EMAIL, and the above code (which is run every time the back office dashboard is loaded) came up. It very clearly sends the contents of the PS_SHOP_EMAIL field to Prestashop.com; the only logical conclusion I can come to is that Prestashop.com is adding these email addresses to their marketing database. Either that or you pulled the unique email I created straight out of my mind, but I'm not ready to put on a tinfoil hat quite yet.
jhnstcks Posted May 5, 2011
That piece of code only adds your login email into your SQL database and doesn't pass it to anyone else. So I will ask you again, where in that piece of code is your email address passed onto Prestashop?
I have had a lot of different Prestashop sites all using various different email addresses, none of which have ever received any emails from Prestashop; if they were using login emails to spam people then I would have expected it on all these emails.
The field PS_SHOP_EMAIL in the configuration table has been included in every version of Prestashop I have seen so far, and I have been using Prestashop since before v1 was released. If they were using these email addresses to send out spam then I would have expected more people to come forward with complaints.
dissatisfied (Author) Posted May 5, 2011
> That piece of code only adds your login email into your SQL database and doesn't pass it to anyone else. So I will ask you again, where in that piece of code is your email address passed onto Prestashop? I have had a lot of different Prestashop sites all using various different email addresses, none of which have ever received any emails from Prestashop; if they were using login emails to spam people then I would have expected it on all these emails. The field PS_SHOP_EMAIL in the configuration table has been included in every version of Prestashop I have seen so far, and I have been using Prestashop since before v1 was released. If they were using these email addresses to send out spam then I would have expected more people to come forward with complaints.
You need a better understanding of programming before you make definitive statements about code you've posted. That chunk of code *gets* the email from the database, and then inserts it into a query string (along with other information like your shop's name) and that query string is sent to Prestashop.com.
It is used to return data for the News and Partners boxes in the sidebar of the back office dashboard. Why they need your email and shop name to return a list of news links, I can't imagine. Where else do you propose Prestashop.com got the unique address I used in my shop?
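As an added example (not code from this thread or from PrestaShop), a small Python audit that scans PHP source for remote fetches and reports which configuration keys, server variables and constants are concatenated into the request URL, so a shop owner can see exactly what leaves the back office; it is run here on a constructed copy of the call quoted above, and the function names are this example's own.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the fetch quoted in this thread plus a harmless local read
# for contrast. Not the full admin/ajax.php, just enough to exercise the audit.
SAMPLE_PHP = r"""
$content = @file_get_contents('https://www.prestashop.com/partner/preactivation/preactivation-block.php?version=1.0&shop='.urlencode(Configuration::get('PS_SHOP_NAME')).'&protocol='.$protocol.'&url='.urlencode($_SERVER['HTTP_HOST']).'&iso_country='.$isoCountry.'&iso_lang='.Tools::strtolower($isoUser).'&id_lang='.(int)$cookie->id_lang.'&email='.urlencode(Configuration::get('PS_SHOP_EMAIL')).'&date_creation='._PS_CREATION_DATE_.'&v='._PS_VERSION_.'&security='.md5(Configuration::get('PS_SHOP_EMAIL')._COOKIE_IV_), false, $context);
$cached = file_get_contents(dirname(__FILE__).'/news_cache.html');
"""

FETCH_FUNCS = ("file_get_contents", "fopen", "curl_init")  # PHP calls that can reach out

def _call_text(src, open_paren):
    """Return the text between the parentheses starting at src[open_paren]."""
    depth, i, in_str = 0, open_paren, None
    while i < len(src):
        c = src[i]
        if in_str:                      # parentheses inside PHP strings do not count
            if c == "\\":
                i += 1
            elif c == in_str:
                in_str = None
        elif c in ("'", '"'):
            in_str = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
        i += 1
    return src[open_paren + 1:]         # unbalanced call: return the rest

def audit_outbound_fetches(php_src):
    """List each fetch of a literal http(s) URL with the host and the data it embeds."""
    findings = []
    for m in re.finditer(r"\b(%s)\s*\(" % "|".join(FETCH_FUNCS), php_src):
        args = _call_text(php_src, m.end() - 1)
        url = re.search(r"['\"](https?://[^'\"?]+)", args)
        if not url:
            continue                    # local file or non-literal URL: not flagged here
        findings.append({
            "function": m.group(1),
            "host": urlparse(url.group(1)).hostname,
            "query_params": sorted(set(re.findall(r"[?&](\w+)=", args))),
            "config_keys": sorted(set(re.findall(r"Configuration::get\('(\w+)'\)", args))),
            "server_vars": sorted(set(re.findall(r"\$_SERVER\['(\w+)'\]", args))),
            "constants": sorted(set(re.findall(r"\b(_[A-Z_]+_)\b", args))),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_outbound_fetches(SAMPLE_PHP):
        print(finding)
```

Run it over the whole admin directory (one file at a time) to get an inventory of every host the back office contacts and which shop settings go along; anything beyond version information deserves a question to the vendor.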
ChrisLNZ Posted May 5, 2011
@dissatisfied And just how were you able to download a copy of the Prestashop installation without supplying (required) your email address to step through the download process?
PrestaSupport Posted May 5, 2011
Email etc. is not required for a download; try to just push the download button and skip the other fields.
core- Posted May 6, 2011
> They are pulling private data from our shopping cart back ends without any kind of notice or permission; that is rude at the very least, and a security breach at the worst.
Private data? In exchange for such a comprehensive e-commerce solution they're pulling what? Our email and store name. To do what? Send us 1 e-mail a week (and those e-mails are actually informative about PS; this way, for instance, I learned that a new version has been released and what improvements it contains). Extremely high price indeed.
So if something is rude here, it's your behavior.
Btw. I tried to use osCommerce before PS, but it lacks an important feature that a community member offered to solve for $200 minimum (it wasn't stated what the maximum could be). This sort of feature I have in PS for free. Ohh oops, not free, I have to receive 1 e-mail a week.
p.s. Instead of the "unsubscribe" link, you can put it in the spam filter, and your problems will be gone. This also can be done by a satisfied one, but it takes a certain lack of professional morals.
leszekem Posted May 6, 2011
core-, you are right, not free, I have to receive 1 e-mail too...
PrestaSupport Posted May 6, 2011
Pts.. I got one letter too :b
dissatisfied (Author) Posted May 6, 2011
> So if something is rude here, it's your behavior.
It is rude of me to let people know that Prestashop is harvesting their email addresses without their knowledge or permission? You have a strange definition of rude.
> In exchange for such a comprehensive e-commerce solution they're pulling what? Our email and store name. To do what? Send us 1 e-mail a week (and those e-mails are actually informative about PS; this way, for instance, I learned that a new version has been released and what improvements it contains). Extremely high price indeed.
A price is what you pay for a good or service with knowledge and consent. If I give you what I say is a free car and later take your computer from your home without your permission, that is not a "price" you have to pay because hey, you got a car! It is a crime.
According to both US law and French law, both harvesting emails without permission AND sending spam without a way to unsubscribe are more than just rude; those actions are *against the law*.
*US Law*:
* The law provides for criminal penalties – including imprisonment – for... harvesting email addresses
* Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future.
*French Law*:
* The person must, at the time of collection of his e-mail address, be informed that his email address will be used, and be able to object to this use in an easy way.
* Each email message must ... propose a simple way to oppose the receipt of new requests (e.g. unsubscribe link at the end).
leszekem Posted May 6, 2011
Good moment to read the terms and conditions..
ChrisLNZ Posted May 7, 2011
The PS newsletter email has this in the footer:
IF YOU DO NOT WANT TO RECEIVE ANY FURTHER MESSAGES FROM PRESTASHOP, WE INVITE YOU TO EXERCISED YOUR RIGHT TO UNSUBSCRIBE BY CLICKING HERE.
Patric Posted May 18, 2011
Hello everyone,
We would like to inform our PrestaShop users that their names and addresses are never given to any third parties.
Once you have installed the software, you will receive an automatic welcome email with information and advice for starting your online retail business. In order to keep you informed on news and updates from PrestaShop, you will also receive a weekly newsletter. If you don't want to receive the newsletter, just click on the 'unsubscribe' link at the bottom of the page.
PrestaShop is open-source software, and its success is due to its community. Therefore, we want to ensure your complete satisfaction and we apologize for any inconvenience.
dissatisfied (Author) Posted May 19, 2011
Glad to see you admitting you take people's email and spam them. I hope you realize that inserting this "I would like to inform our PrestaShop users..." in one single forum thread does not in fact inform all the users you've been harvesting email addresses from.
As to those who say I should use the unsubscribe link, there was none in the spam that was sent to me (I've attached a shot of the end of the email as evidence). Additionally, the spam indicates some kind of relationship with PayPal; it comes from the address [email protected] and is heavily oriented towards pushing PayPal's services. Whether or not PrestaShop is giving the email info to third parties, they are definitely harvesting our information to push third-party services.
Lastly, I just got spam to the email address I used to sign up for these forums. As before, there was no indication during signup (including in the terms and conditions) that the email address entered would be used to send spam. Once again PrestaShop is violating both US and French law. On a positive note, at least this one contained an unsubscribe link.
Asenar Posted May 20, 2011
Hi,
About the "paypal-j8" thing, it's a really big communication problem: first of all, this is absolutely not a newsletter, and PayPal doesn't have your email. We changed the sender to "[email protected]" because it's not about PayPal only: there are links to the forum and to the support site. Only the last part is related to PayPal, one of our best partners. And this email is collected at the end of the installation process (not forum or download).
PayPal is a partner of PrestaShop, and to thank them for their financial support, we send a welcome message to new users who installed our solution: at the end of the installation, the mail is scheduled (on our server, prestashop.com) to be sent 8 days later. There is no unsubscribe link because it's a one-shot action, and if you install PrestaShop several times with the same email, you will only receive it once.
About harvesting mail from forum registration, I don't know about today, but when I registered with my personal account it wasn't the case.
If you have more comments to make don't hesitate to add them here (or you can also send me a mail or a private message if you prefer).
Regards,
ScubaLessonsInc Posted June 3, 2011
You selfish, inconsiderate person.. 1st, you're getting thousands and thousands of dollars in free software. I think they have earned the right to email you.. not that they are doing it any way but legitimately, and there is an unsubscribe link.. check your facts first man.. and even if there was not, is your poor delete finger broken or something? Man up and quit kvetching.. we don't want to hear it. Most of us are extremely grateful to the coders putting in countless hours to create amazing software that does the job, and they support it here!
Asenar Posted June 3, 2011
Hi Tina,
Thanks a lot for your support, but the fact is we (PrestaShop) didn't make things right in terms of communication. It looks like we shared users' mails, but it's absolutely not the case.
PrestaShop is free and open source. It's not a good reason for sending mails (newsletter, spam or pertinent information, whatever) without informing the community. Also we were wrong by putting the sender as "paypal-j8@prestashop", especially because it is we (and not PayPal) who send the mail, and we don't give your mail to anyone.
The mail (which is not a newsletter and is sent only one time; sorry again we didn't mention it) contains some tips and useful links. As PayPal is one of our best supporters, we (of course!) encourage people to use it.
Everyone is free to post something we forgot to mention here; personally I consider this discussion over (and I will unsubscribe from it by simply clicking etc.).
dissatisfied (Author) Posted August 27, 2011
It is worth noting that this code in admin/ajax.php that I pointed out was the code responsible for the recent security issues. As I noted before, in addition to sending your email address, shop name, and URL to Prestashop.com, this code loads data to be displayed in your back office dashboard. This data was not properly validated, allowing the hackers to inject their own code into each of our servers once they took over the script at Prestashop.com.
Based on this, it is important to note that even for shops that did not have malicious files downloaded to them, the hackers may have the shop email address, along with some other shop information (language, shop name, etc.). Depending on how long the hackers were in control of Prestashop.com's script, they may have a database of thousands or tens of thousands of emails and other data for known-active shops. The reason this matters (and it seems I need to explain this because nobody as yet has cared that the shop software sends out shop information willy-nilly) is that a database like that is perfect for sending targeted, legitimate-looking emails for phishing purposes.
The official Prestashop security notice gives no warning of this (or even that the hackers may have your email address even if you weren't visibly hacked. Why? Perhaps it would make it too explicit that their own script has been gathering your data). Every Prestashop user should be wary of any email coming to their shop address purporting to come from Prestashop.com, their own Prestashop install, or any other source wherein the message references their shop.
Follow the usual safety guidelines: never respond to an email requesting any passwords, usernames, or related data; never click a link in an email and "log in" at the resulting page (enter your shop admin URL or Prestashop.com into your browser manually instead); and especially be aware of any potentially false "security alerts" instructing you to enter information into any websites or upload files to or otherwise alter your shop install - always double-check those are legitimate by visiting Prestashop.com. These are rules you should be following on a daily basis anyway, but many don't, and it may be especially important now. I hope the Prestashop admins will see fit to include some kind of warning about potential phishing attacks in their security notice.
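The post above describes the inbound half of the problem: content fetched from the vendor was rendered in the dashboard without validation, so a compromised vendor script could push code into every shop. As an added example (not PrestaShop's code, and the thread does not say what format the real block uses), the Python below treats a vendor-supplied news block as untrusted input: it is accepted only if it is JSON of an assumed shape, links are restricted to an assumed allowlist, text is HTML-escaped, and anything else falls back to a static notice; `ALLOWED_LINK_HOSTS`, the item keys and the samples are this example's assumptions.

```python
import html
import json
from urllib.parse import urlparse

# Assumed format for this example: a JSON list of {"title", "url"} items.
# The real preactivation-block.php response format is not known from the thread;
# the point is the validate-then-render pattern, not the exact schema.
ALLOWED_LINK_HOSTS = {"www.prestashop.com"}   # assumed allowlist of link targets
MAX_ITEMS, MAX_TITLE = 10, 120                # keep a rogue block from flooding the page

class UntrustedBlockError(ValueError):
    """Raised when the remote block does not match the expected shape."""

def parse_vendor_block(raw):
    """Validate the fetched block; return [(title, url), ...] or raise."""
    try:
        items = json.loads(raw)
    except ValueError as exc:                 # raw HTML or script tags land here
        raise UntrustedBlockError("block is not JSON") from exc
    if not isinstance(items, list) or len(items) > MAX_ITEMS:
        raise UntrustedBlockError("unexpected top-level shape")
    clean = []
    for it in items:
        if not isinstance(it, dict) or set(it) != {"title", "url"}:
            raise UntrustedBlockError("unexpected item keys")
        title, url = it["title"], it["url"]
        if not isinstance(title, str) or not isinstance(url, str) or len(title) > MAX_TITLE:
            raise UntrustedBlockError("bad item types")
        u = urlparse(url)
        if u.scheme != "https" or u.hostname not in ALLOWED_LINK_HOSTS:
            raise UntrustedBlockError("link outside allowlist: %s" % url)
        clean.append((title, url))
    return clean

def render_block(raw):
    """Render the block as escaped HTML; on any validation failure show a static notice."""
    try:
        items = parse_vendor_block(raw)
    except UntrustedBlockError:
        return "<p>News block unavailable.</p>"
    lis = "".join('<li><a href="%s">%s</a></li>' % (html.escape(u, quote=True), html.escape(t))
                  for t, u in items)
    return "<ul>%s</ul>" % lis

# Constructed samples: a well-formed block, one with markup in a title (escaped, not
# executed), a raw script tag (rejected), and a link to a non-allowlisted host (rejected).
GOOD = json.dumps([{"title": "New version released", "url": "https://www.prestashop.com/"}])
ESCAPED = json.dumps([{"title": "Update <b>now</b>", "url": "https://www.prestashop.com/x"}])
BAD_HTML = '<script src="https://evil.example/x.js"></script>'
BAD_LINK = json.dumps([{"title": "Security alert", "url": "https://evil.example/patch"}])
```

The same pattern applies to whatever the real block format is: decide the schema on the shop side, never echo the vendor's bytes into the admin page, and fail closed.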
indus Posted August 27, 2011
My shop email is set to [email protected]. Maybe that is why I don't get emails, because it's a non-existent email address.